b"\x0c                                      Table of Contents\n\nSection                                                                               Page\n\n   I      EXECUTIVE SUMMARY                                                                     1\n\n  II      BACKGROUND                                                                            2\n\n  III     OBJECTIVE                                                                             3\n\n  IV      METHODOLOGY AND SCOPE                                                                 3\n\n  V       RESULTS IN DETAIL                                                                     5\n\n               1.     NCUA needs to improve its Continuous Monitoring Program                    5\n\n               2.     NCUA needs to improve its Risk Management Program                         7\n\n               3.     NCUA needs to improve its Plan of Action and Milestones                   9\n                      (POA&M) Process\n\n               4.     NCUA needs to improve its Configuration Management                        11\n                      Program\n\n               5.     NCUA needs to improve its Identity and Access                             12\n                      Management Controls\n\n               6.     NCUA needs to improve Remote Access Controls                              14\n\n               7.     NCUA needs to improve its Incident Response and                           16\n                      Reporting Process\n\n               8.     NCUA needs to improve its Contingency Planning process                    17\n\n               9.     NCUA needs to improve its Security Capital Planning and                   19\n                      Investment Program\n\n               10.    NCUA needs to improve its Security Awareness Training                     21\n                      Program\n\n               11.    
NCUA needs to improve Oversight of its Contractor Systems                 22\n\n               12.    NCUA needs to improve its Privacy Program                                 23\n\n\n\n\n                                                           Restricted \xe2\x80\x93 For Official Use Only\n                                               i\n\x0cREPORT # OIG-12-13: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012\n\n\n                              I. EXECUTIVE SUMMARY\n\nThe Office of Inspector General (OIG) for the National Credit Union Administration\n(NCUA) engaged Mitchell & Titus, LLP (Mitchell & Titus), to independently evaluate\nNCUA\xe2\x80\x99s information systems and security program and controls for compliance with the\nFederal Information Security Management Act (FISMA), Title III of the E-Government\nAct of 2002.\n\nMitchell & Titus evaluated NCUA\xe2\x80\x99s security program through interviews, documentation\nreviews, technical configuration reviews, and sample testing. 
Mitchell & Titus evaluated\nNCUA against such laws, standards, and requirements as those provided through\nFISMA, the E-Government Act, National Institute of Standards and Technology (NIST)\nstandards and guidelines, the Privacy Act, and Office of Management and Budget\n(OMB) memoranda and security and privacy policies.\n\nWhile NCUA has worked to further strengthen its information security program during\nFiscal Year (FY) 2012, we identified three issues remaining from last year\xe2\x80\x99s FISMA\nevaluation that NCUA officials need to address:\n\n   \xe2\x80\xa2   Developing a Continuous Monitoring strategy and plan;\n   \xe2\x80\xa2   Reviewing (and reducing) holdings of Personally Identifiable Information; and\n   \xe2\x80\xa2   Addressing the minimum security controls in the Asset Management and\n       Assistance Center Security Plan.\n\nIn addition, we identified new findings in each of the following areas and made 29\nrecommendations where NCUA could continue to improve its information security and\nprivacy programs:\n\n   \xe2\x80\xa2   Continuous Monitoring\n   \xe2\x80\xa2   Risk Management\n   \xe2\x80\xa2   Plan of Actions and Milestones (POA&M)\n   \xe2\x80\xa2   Configuration Management\n   \xe2\x80\xa2   Identity and Access Management\n   \xe2\x80\xa2   Remote Access Management\n   \xe2\x80\xa2   Incident Response and Reporting\n   \xe2\x80\xa2   Contingency Planning\n   \xe2\x80\xa2   Security Capital Planning\n   \xe2\x80\xa2   Security Training\n   \xe2\x80\xa2   Contractors Systems\n   \xe2\x80\xa2   Privacy\n\nWe appreciate the courtesies and cooperation provided to our staff and Mitchell & Titus\nstaff during this audit.\n\n\n\n\n                                                          Restricted - For Official Use Only\n                                            1\n\x0cREPORT # OIG-12-13: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 
2012\n\n\n                                             II. BACKGROUND\n\nThis section provides background information on the Federal Information Security\nManagement Act (FISMA) and the National Credit Union Administration (NCUA).\n\nFederal Information Security Management Act\n\nThe President signed into law the E-Government Act (Public Law 107-347), which\nincludes Title III, Information Security, on December 17, 2002. The Federal Information\nSecurity Management Act (FISMA) permanently reauthorized the framework laid out in\nthe Government Information Security Reform Act of 2000 (GISRA), which expired in\nNovember 2002. FISMA continues the annual review and reporting requirements\nintroduced in GISRA. In addition, it includes new provisions aimed at further\nstrengthening the security of the Federal government\xe2\x80\x99s information and information\nsystems, such as development of minimum standards for agency systems. In general,\nFISMA:\n\n    \xe2\x80\xa2   Lays out a framework for annual information technology security reviews,\n        reporting, and remediation plans.\n    \xe2\x80\xa2   Codifies existing OMB security policies, including those specified in Circular\n        A-130, Management of Federal Information Resources, and Appendix III.\n    \xe2\x80\xa2   Reiterates security responsibilities outlined in the Computer Security Act of 1987,\n        Paperwork Reduction Act of 1995, and Clinger-Cohen Act of 1996.\n    \xe2\x80\xa2   Tasks NIST with defining required security standards and controls for Federal\n        information systems.\n\nThe Department of Homeland Security (DHS) issued the FY 2012 reporting metrics\n(February 14, 2012), which provide measures against which agency Chief Information\nOfficers, Offices of Inspector General, and Senior Agency Officials for Privacy assess\nthe status and compliance of agencies\xe2\x80\x99 information security and privacy management\nprograms. 
1 OMB issued the FY 2012 Reporting Instructions for the Federal Information\nSecurity Management Act and Agency Privacy Management on October 2, 2012. This\ndocument provides instructions to agencies for meeting its reporting requirements under\nFISMA. In addition, it includes instructions for reporting on agencies\xe2\x80\x99 privacy\nmanagement programs. Furthermore, it includes clarifications to help agencies\nimplement and meet FISMA and privacy requirements.\n\nNational Credit Union Administration (NCUA)\n\nNCUA is the independent Federal agency that charters, supervises, and insures the\nnation\xe2\x80\x99s Federal credit unions. NCUA insures many state-chartered credit unions as\nwell. NCUA is funded by the credit unions it supervises and insures. NCUA's mission is\nto foster the safety and soundness of Federally-insured credit unions and to better\n\n\n1\n DHS is exercising primary responsibility within the Executive Branch for the operational aspects of Federal agency\ncyber security with respect to the Federal information systems that fall within FISMA under 44 U.S.C. \xc2\xa73543.\n\n                                                                            Restricted - For Official Use Only\n                                                         2\n\x0cREPORT # OIG-12-13: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012\n\n\nenable the credit union community to extend credit for productive and provident\npurposes to all Americans, particularly those of modest means.\n\nNCUA strives to ensure that credit unions are empowered to make necessary business\ndecisions to serve the diverse needs of its members and potential members. 
It does\nthis by establishing a regulatory environment that encourages innovation, flexibility, and\na continued focus on attracting new members and improving service to existing\nmembers.\n\nNCUA has a full-time three-member Board (NCUA Board) consisting of a chairman and\ntwo members. The chairman is appointed by the President of the United States and\nconfirmed by the Senate. No more than two board members can be from the same\npolitical party, and each member serves a staggered six-year term. The NCUA Board\nregularly meets in open session each month, with the exception of August, in\nAlexandria, Virginia.\n\n                                     III. OBJECTIVE\n\nThe audit objective was to assist the OIG in performing an independent evaluation of\nNCUA information security and privacy management policies and procedures for\ncompliance with FISMA and Federal regulations and standards. We evaluated NCUA\xe2\x80\x99s\nefforts related to:\n\n   \xe2\x80\xa2   Efficiently and effectively managing its information security and privacy\n       management programs;\n\n   \xe2\x80\xa2   Meeting responsibilities under FISMA;\n\n   \xe2\x80\xa2   Remediating prior audit weaknesses pertaining to FISMA and other security\n       weaknesses identified; and\n\n   \xe2\x80\xa2   Implementing its Plans of Action and Milestones (POA&M)\n\nIn addition, the audit was required to provide sufficient supporting evidence of the status\nand effectiveness of NCUA\xe2\x80\x99s information security and privacy management programs to\nenable the OIG to report to OMB.\n\n                          IV. 
METHODOLOGY AND SCOPE\n\nWe evaluated NCUA\xe2\x80\x99s information security and privacy management programs and\npractices against such laws, standards, and requirements as those provided through\nFISMA, the E-Government Act, NIST standards and guidelines, the Privacy Act, and\nOMB memoranda and security and privacy policies.\n\nDuring this audit, we assessed NCUA information security and privacy management\nprograms in the areas identified in The Department of Homeland Security\xe2\x80\x99s FY 2012\n\n                                                           Restricted - For Official Use Only\n                                             3\n\x0cREPORT # OIG-12-13: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012\n\n\nInspector General FISMA Reporting Metrics. These areas included: risk management,\nconfiguration management, incident response and reporting, security training, POA&M,\nremote access management, identity and access management, continuous monitoring\nmanagement, contingency planning, contractor systems, and security capital planning.\n\nWe conducted our fieldwork from August 2012 through October 2012. We performed\nour audit in accordance with generally accepted government auditing standards. The\nstandards require that we plan and perform the audit to obtain sufficient and appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our\naudit objectives. 
We believe that the evidence obtained provides a reasonable basis for\nour findings and conclusions based on our audit objectives.\n\n\n\n\n                                                          Restricted - For Official Use Only\n                                            4\n\x0cREPORT # OIG-12-13: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012\n\n\n                                          V. RESULTS IN DETAIL\n\nInformation security and privacy program planning and management controls are\ndesigned to provide the framework and continuing cycle of activity for managing risk,\ndeveloping security and privacy policies, assigning responsibilities, and monitoring the\nadequacy of information security- and privacy-related controls. NCUA has made\nprogress in addressing last year\xe2\x80\x99s reported deficiencies; however, some prior year\ndeficiencies remain. In addition, we identified other areas for improvement that require\nmanagement's attention. We discuss these issues below.\n\n1. NCUA needs to improve its Continuous Monitoring Program\n\nNCUA has some automated tools (e.g., intrusion detection, Secure Content Automation\nProtocol), and policies and procedures that would be components of a continuous\nmonitoring program. However, NCUA has not completely implemented a Continuous\nMonitoring strategy and plan. Specifically, NCUA has not documented Continuous\nMonitoring policies and procedures and has not fully integrated the various components\nof its information security program into a strategy that facilitates near real-time\nmonitoring and risk management. This is a repeat finding from the 2011 FISMA\nevaluation. 
This finding includes issues in the following areas that we address in other\nsections of the report.\n\n    \xe2\x80\xa2    Risk management policies and procedures (see page 7);\n\n    \xe2\x80\xa2    Plans of Action and Milestones (see page 9);\n\n    \xe2\x80\xa2    Configuration and patch management of Macintosh computers (see page 11);\n\n    \xe2\x80\xa2    Inventory of contractor systems (see page 22); and\n\n    \xe2\x80\xa2    Privacy (see page 23).\n\nIn FY 2011, the Administration identified Continuous Monitoring as one of three FISMA\npriorities. 2 In FY 2012, Continuous Monitoring is again identified as one of the three\npriorities having the greatest probability of success in mitigating cyber security risks to\nagency information systems.\n\nNIST SP 800-53 guides that agencies should establish a continuous monitoring strategy\nand implement a continuous monitoring program that includes: A configuration\nmanagement process for the information system and its constituent components; a\ndetermination of the security impact of changes to the information system and\nenvironment of operation; ongoing security control assessments in accordance with the\norganizational continuous monitoring strategy; and reporting the security state of the\ninformation system to appropriate organizational officials.\n2\n The Administration\xe2\x80\x99s other two priorities are Trusted Internet Connection capabilities and traffic consolidation, and\nHomeland Security Presidential Directive (HSPD)-12, implementation for logical access control.\n\n                                                                               Restricted - For Official Use Only\n                                                           5\n\x0cREPORT # OIG-12-13: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012\n\n\n\nNIST SP 800-137, Information Security Continuous Monitoring (ISCM) for 
Federal\nInformation Systems and Organizations (September 2011), guides that Information\nSecurity Continuous Monitoring (ISCM) supports agency risk management decisions\ne.g., risk response decisions, ongoing system authorization decisions, Plans of Action\nand Milestones (POA&M) resource and prioritization decisions, etc. It also indicates\nthat maintaining an up-to-date view of information security risks across an organization\nrequires the involvement of the entire agency, from senior leaders providing governance\nand strategic vision to individuals developing, implementing, and operating individual\ninformation systems in support of the organization\xe2\x80\x99s core missions and business\nfunctions.\n\nNIST SP-800-37, Revision 1, Guide for Applying the Risk Management Framework to\nFederal Information Systems: A Security Life Cycle Approach (February 2010), guides\nthat a robust continuous monitoring program requires the active involvement of\ninformation system owners and common control providers, chief information officers,\nsenior information security officers, and authorizing officials. The monitoring program\nallows an organization to: track the security state of an information system on a\ncontinuous basis; and maintain the security authorization for the system over time in\nhighly dynamic environments of operation with changing threats, vulnerabilities,\ntechnologies, and missions/business processes.\n\nBy improving and implementing a comprehensive continuous monitoring program,\nNCUA will be more aware of and better prepared to respond to potential threats and\nvulnerabilities. Ultimately, NCUA will be able to better protect the confidentiality,\nintegrity, and availability of its systems and data.\n\nRecommendation: We recommend that NCUA management:\n\n1. 
Document and implement comprehensive continuous monitoring strategies, policies\n   and procedures in accordance with guidance under Information Security Continuous\n   Monitoring, the Risk Management Framework and other NIST guidance.\n\nAgency Response:\n\nOCIO will update procedures to further address this issue. OCIO will conduct an\nanalysis of the Risk Management Framework and adjust policies and procedures\naccordingly.\n\nDue Date: TBD\n\nOIG Response: The OIG concurs.\n\n\n2. NCUA needs to improve its Risk Management Program\n\n\n\n                                                          Restricted - For Official Use Only\n                                            6\n\x0cREPORT # OIG-12-13: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012\n\n\nNCUA continues to make progress in implementing a comprehensive risk management\nprogram. However, during FY2012, NCUA did not fully implement a risk management\nprogram compliant with FISMA requirements. We determined:\n\n    \xe2\x80\xa2   NCUA\xe2\x80\x99s risk management program documentation does not include organization-\n        wide risk management strategies from organization, information, mission or\n        business process perspectives. Specifically, NCUA policies and procedures do\n        not address all the areas of the NIST Risk Management Framework process as\n        listed below:\n\n        o Selecting Security Controls \xe2\x80\x93 Management does not have procedures to\n          identify and select security controls that are specific to each system. 
For\n          example:\n\n             \xef\x83\xbc NCUA did not address all of the 202 moderate baseline controls included\n               in the 17 control families 3 it identified for its General Support System\n               (GSS).\n\n             \xef\x83\xbc NCUA\xe2\x80\x99s Asset Management and Assistance Center (AMAC) security plan\n               did not address each of the minimum security controls applicable to the\n               system\xe2\x80\x99s security categorization and did not match the control families\n               identified in NIST SP 800-53. This is a repeat finding from the FY 2011\n               FISMA evaluation.\n\n        o Assessing Security Controls \xe2\x80\x93 NCUA does not have procedures on how it will\n          test security controls. Specifically, out of the 17 control families required by\n          NCUA, NCUA only tested 10 control families for the GSS. In addition, each\n          control family did not include all the controls from NIST SP 800-53 as\n          indicated above. As a result, NCUA did not test all the controls within the 10\n          control families.\n\n        o Monitoring Security Controls \xe2\x80\x93 NCUA does not have adequate procedures to\n          monitor security controls specific to the NCUA environment.\n\n    \xe2\x80\xa2   NCUA did not complete the annual testing of security controls for all the agency\xe2\x80\x99s\n        systems.\n\n    \xe2\x80\xa2   NCUA does not perform or explicitly consider security impact analyses of the\n        GSS and the Insurance Information System (IIS) prior to implementation of\n        configuration changes.\n\n\n\n3\n  NIST SP 800-53 identifies 18 control families. Seventeen of the control families align with the minimum security\nrequirements for federal information and information systems as described in FIPS 200, Minimum Security\nRequirements for Federal Information and Information Systems (March 2006). 
The remaining control family provides\ncontrols for information security programs.\n\n                                                                           Restricted - For Official Use Only\n                                                        7\n\x0cREPORT # OIG-12-13: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012\n\n\n   \xe2\x80\xa2   NCUA is operating four of its five FISMA systems - the IIS; AMAC; Examination\n       Support System (ESS); and Online Data Collection System (ODCS) - without the\n       required Authority to Operate (ATO). The ATOs for these systems expired in\n       2012:\n\n   \xe2\x80\xa2   NCUA does not have a formal mechanism in place to report the status of\n       information security to senior management.\n\nThe Risk Management Framework - as prescribed by NIST SP 800-37 - is the\nfoundation for implementing and maintaining an effective information security program.\nNIST SP 800-37 provides guidelines for applying the Risk Management Framework to\nfederal information systems to include conducting the activities of security\ncategorization, security control selection and implementation, security control\nassessment, information system authorization, and security control monitoring.\n\nFIPS PUB 200, Minimum Security Requirements for Federal Information and Information\nSystems (March 2006), requires agencies to: periodically assess the security controls\nin organizational information systems to determine if the controls are effective in their\napplication; develop and implement plans of action designed to correct deficiencies and\nreduce or eliminate vulnerabilities in organizational information systems; authorize the\noperation of organizational information systems and any associated information system\nconnections; and monitor information system security controls on an ongoing basis to\nensure the continued 
effectiveness of the controls.\n\nNCUA does not have sufficient dedicated information security resources to monitor\nfederal guidance on a periodic basis and maintain its procedures in compliance with that\nguidance or to perform security authorization functions separate from system owners.\n\nIn response to the FY 2011 FISMA evaluation, NCUA indicated it was going to: (1)\nwork with AMAC to update the security plan; and (2) consolidate of all its systems as\nappendices into one system security plan under the General Support System. NCUA\nhas been planning since last year to consolidate its five FISMA systems under its\nGeneral Support System (GSS) via the security authorization process. NCUA planned\nto complete the security authorization by July 2012; however, due to key information\ntechnology staff changes, the security authorization was delayed and is currently in\nprocess. Completing the security authorization should address NCUA\xe2\x80\x99s Authority to\nOperate its system(s) and the issues with the AMAC security plan, which would be\nconsolidated under the GSS security plan.\n\nWith updated and approved program policies and procedures to support its Risk\nManagement program, NCUA will be able to better manage its information systems-\nrelated risks consistent with the Risk Management Framework. In addition, by ensuring\nits systems are operating with a valid ATO, coupled with a comprehensive annual\ncontrol testing program, and a complete and comprehensive POA&M tracking program,\nNCUA could avoid or mitigate system issues that could adversely impact NCUA\noperations. 
Furthermore, by performing security impact analysis of system\n\n                                                          Restricted - For Official Use Only\n                                            8\n\x0cREPORT # OIG-12-13: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012\n\n\nconfiguration changes, NCUA could mitigate the chance of introducing configuration\nchanges that could adversely impact the confidentiality, integrity and availability of its\nsystems. Finally, adequate segregation of duties in the system security authorization\nprocess would help mitigate intentional, inadvertent or missed threats to information\nsystems security within the NCUA systems environment.\n\nRecommendations: We recommend that NCUA management:\n\n2. Review its risk management program documentation and update policies and\n   procedures based on the prescribed risk management strategies outlined within\n   NIST guidance.\n\n3. Schedule and complete the system security authorization process on a timely basis\n   such that all agency systems are continuously operating under a valid approved\n   Authority to Operate.\n\n4. Document, implement, and annually test all controls for its systems as identified in\n   NIST guidance.\n\n5. Implement and monitor the timely completion of annual security testing.\n\nAgency Response:\n\nOCIO is currently executing an independent certification and accreditation process\nwhich covers the entire new consolidated NCUA GSS. This process will address all\nissues listed here including updates to the documentation necessary to support future\nrisk management actions.\n\nDue Date: 7/29/2013\n\nOIG Response: The OIG concurs.\n\n\n3. 
NCUA needs to improve its Plan of Action and Milestones (POA&M) Process\n\nWhile NCUA has an active POA&M process in place, we determined that NCUA policies\nand procedures do not provide adequate guidance in regards to how NCUA should\nmanage its POA&M process. Specifically, NCUA has not defined the thresholds for the\nfindings that should be added to the POA&M process and how findings outside of the\nPOA&M process are tracked and remediated. In addition, NCUA does not have\nprocedures to: prioritize POA&M items; track the POA&M items within the SharePoint\nsystem; define the level of effort to close POA&M items; and define the timeframe for\nupdating and escalating the POA&M process to management.\n\nNIST SP 800-53 guides that organizations: develop POA&Ms for the information\nsystem to document the organization\xe2\x80\x99s planned remedial actions to correct weaknesses\n\n\n                                                             Restricted - For Official Use Only\n                                              9\n\x0cREPORT # OIG-12-13: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012\n\n\nor deficiencies noted during the assessment of the security controls and to reduce or\neliminate known vulnerabilities in the system; and update existing POA&Ms based on\nthe findings from security controls assessments, security impact analyses, and\ncontinuous monitoring activities. 
In addition, a dedicated information security resource\nis critical to ensuring that the CIO, Deputy CIO, system owners and other key NCUA\nstaff are continually updated and aware of information security requirements, the risk\nposture of NCUA systems, and the status of mitigation plans.\n\nNCUA does not have a dedicated resource to enhance or update POA&M policies and\nprocedures or to manage the tasks associated with the POA&M process.\n\nBy enhancing its POA&M policies and procedures and dedicating an independent\ninformation security resource to manage the POA&M process, NCUA can correct\ninformation security weaknesses and deficiencies in a more adequate and timely\nmanner. These enhancements would effectively improve the overall security of its\ninformation systems environment and better protect NCUA systems and data.\n\nRecommendations: We recommend that NCUA management:\n\n6. Enhance its POA&M policies and procedures.\n\n7. Dedicate an independent information security resource to manage the POA&M\n   process.\n\nAgency Response:\n\nOCIO will enhance procedures to refine the POA&M process to address the specific\nissues listed above. We would like to note one exception here. 
Findings outside the\nPOA&M process will continue to be addressed on a case-by-case basis.\n\nOCIO is currently going through reorganization and has designated a dedicated position\nfor the Information Security Officer.\n\nDue Date: 7/29/2013\n\nOIG Response: The OIG concurs.\n\n\n\n\n                                                          Restricted - For Official Use Only\n                                           10\n\x0c\x0cREPORT # OIG-12-13: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012\n\n\nBy documenting and establishing a comprehensive configuration management program,\nNCUA can more effectively and efficiently monitor, manage, and patch the security\nconfigurations for all systems and devices within the NCUA information system\nenvironment. Ultimately, a more comprehensive program will help ensure NCUA\nprotects the confidentiality, integrity and availability of all the agency\xe2\x80\x99s systems and\ndata.\n\nRecommendations: We recommend that NCUA management:\n\n8. Establish a comprehensive configuration management program that includes policy\n   and procedures for monitoring, managing, and patching security configurations for\n   all systems and devices:\n\n9. Provide dedicated information security resources responsible for implementing,\n   managing and overseeing NCUA\xe2\x80\x99s configuration management program.\n\n10. Review and determine whether it would be in the best interest of NCUA\xe2\x80\x99s overall\n    information security posture to transfer responsibility for the UNIX environment from\n    AMAC to the OCIO.\n\nAgency Response:\n\nOCIO will conduct an analysis of the current configuration management program in light\nof the new NIST guidance. 
The new ISO will be responsible for management and\noversight of this program.\n\nOCIO will work with the OED to address managing AMAC operations to ensure a proper\nsecurity posture.\n\nDue Date: TBD\n\nOIG Response: The OIG concurs.\n\n\n5. NCUA needs to improve its Identity and Access Management Controls\n\nWe determined NCUA\xe2\x80\x99s access management policies and procedures are not in\ncompliance with NIST guidelines and have not been updated to reflect NCUA\xe2\x80\x99s current\nprocedures. Specifically:\n\n   \xe2\x80\xa2   NCUA\xe2\x80\x99s process for providing access to new hires is not adequate. NCUA\xe2\x80\x99s user\n       access documentation does not always include the specific level of access\n       requested for the user or clearly indicate who approved the user access request.\n\n\n\n\n                                                           Restricted - For Official Use Only\n                                           12\n\x0c\x0c\x0c\x0c\x0c\x0cREPORT # OIG-12-13: INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION\xe2\x80\x99S\nCOMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA) 2012\n\n\n\n   \xe2\x80\xa2   NCUA has not documented and implemented preventive controls, planned\n       maintenance, or strategies for its Insurance Information System (IIS).\n\n   \xe2\x80\xa2   The results of the IIS Contingency Plan test do not provide an after action report\n       or evidence of corrective actions taken.\n\n   \xe2\x80\xa2   NCUA does not have approval letters for its General Support System (GSS) and\n       IIS Contingency Plans to validate that the Plan documentation is complete.\n\n   FIPS PUB 200 requires agencies to establish, maintain, and effectively implement\n   plans for emergency response, backup operations, and post-disaster recovery for\n   organizational information systems to ensure the availability of critical information\n   resources and continuity of operations in emergency 
situations.

   NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems (May 2010), guides that in order for an agency to develop and maintain an effective information system contingency plan, the process must include the following seven steps that represent key elements in a comprehensive information system contingency planning capability:

       •   Developing the policy;

       •   Conducting the business impact analysis;

       •   Identifying preventive controls;

       •   Creating contingency strategies;

       •   Developing a contingency plan;

       •   Ensuring plan testing, training, and exercises; and

       •   Ensuring plan maintenance.

NIST SP 800-53 guides that the organization should revise its contingency plans to address: changes to the organization, information system, or operational environment; and problems encountered during plan implementation, execution, and testing. NIST SP 800-53 also guides that a designated official should review and approve the organization’s contingency plans.

NCUA has been planning to consolidate its five systems into one overall system under its General Support System (GSS) since last year via its security authorization process. NCUA planned to complete the security authorization by July 2012; however, due to key information technology management changes, the security authorization was delayed and is currently in process.
Completing the security authorization should remediate the issues under this finding.

By implementing complete, comprehensive and current contingency planning, NCUA will have better assurance that its mission-critical system(s) will be able to continue to operate in an emergency situation, whether that involves restoring data or relocating to an alternate processing site.

Recommendations: We recommend that NCUA management:

21. Ensure that NCUA’s contingency planning process and its consolidated Contingency Plan include the following missing components:

       •   A plan approval letter to validate that the Contingency Plan documentation is complete.

       •   Documented and implemented preventive controls, planned maintenance, and strategies.

22. Ensure that NCUA documents evidence of corrective actions taken or an after action report as a result of Contingency Plan testing.

Agency Response:

Most of the issues will be resolved by the current C&A effort. OCIO will work with OED to resolve the issue related to AMAC operations.

Due Date: TBD

OIG Response: The OIG concurs.


9. NCUA needs to improve its Security Capital Planning and Investment Program

We determined NCUA’s agency-wide Information Security Procedures do not adequately address a structured process to evaluate security-related needs and perform budgeting at a sufficiently detailed level. Specifically, NCUA does not have specific guidelines for planning, budgeting, and mapping major capital information technology security resource expenditures according to POA&Ms and other information technology-related initiatives.
For example, we reviewed the POA&M for records related to NCUA’s General Support System (GSS) and its Insurance Information System (IIS) to assess whether NCUA coordinates its budgeting activities for information technology security expenses with its POA&M remediation expenses. We found that NCUA’s annual budget did not include distinct line items traceable to the agency’s POA&M entries.

NIST SP 800-53 guides that organizations: include a determination of information security requirements for the information system in their mission/business process planning; determine, document, and allocate the resources required to protect the information system as part of the capital planning and investment control process; and establish a discrete line item for information security in organizational programming and budgeting documentation. In addition, NIST SP 800-53 guides that organizations should ensure that all capital planning and investment requests include the resources needed to implement the information security program and document all exceptions to this requirement.

By implementing a comprehensive Capital Planning and Investment Control process, NCUA would help ensure the agency adequately budgets its funding needs for all of its information technology security expenses.
This process would help NCUA more efficiently mitigate risks and vulnerabilities within NCUA’s information technology environment, ultimately helping to protect the confidentiality, integrity, and availability of NCUA’s systems and data.

Recommendations: We recommend that NCUA management:

23. Implement Capital Planning and Investment Control procedures and guidelines to consistently and systematically drive the evaluation and documentation of security-related resources in the capital planning process. The guidance should include documentation requirements with respect to budgeting for all information security program expenses that would normally occur. These would include such expenses as the cyclical security authorization process, risk identification and mitigation activities, remediation of security weaknesses, and activities associated with day-to-day information security operations.

24. Implement a process to periodically monitor information technology security-related expenses against the budget for each information technology security component.

Agency Response:

OCIO is in the process of developing an IT prioritization council that will factor information security costs and required resources into the budgeting process. However, OCIO has not requested specific funding for information security in the past. OCIO will work with OED on budgeting for information security matters.

Due Date: TBD.

OIG Response: The OIG concurs.


10.
NCUA needs to improve its Security Awareness Training Program

We determined NCUA’s procedures for Security Awareness Training (SAT) and role-based training do not reflect current NIST guidance. Specifically, NCUA does not have documented procedures for reviewing the timely completion of security awareness training by new hires. In addition, NCUA has not established a specific timeframe within which new hires must complete the agency’s rules of behavior, or sanctions for new hires who do not complete the rules of behavior. Furthermore, NCUA: (1) does not have a formal and documented process to identify all roles that need specialized security training; and (2) does not specify the types and the frequency of the specialized training, or the personnel required to attend the training.

NIST SP 800-53 guides that organizations should provide basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and periodically thereafter. In addition, NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (April 1998), requires training: for current employees; for new employees within 60 days of hire; whenever there is a significant change in the agency’s IT security environment or procedures, or when an employee enters a new position that deals with sensitive information; and periodically as refresher training, based on the sensitivity of the information the employee handles.
NIST SP 800-53 also guides that organizations provide role-based security-related training before authorizing access to a system or performing assigned duties; when required by system changes; and periodically thereafter.

NCUA does not have dedicated information security resources to develop, document, implement and monitor a robust security awareness training program that meets NIST guidance and requirements.

By implementing a current and effective security awareness training program, NCUA management can help ensure all personnel receive the required security training. This includes role-based training for individuals with system security responsibilities, such as system administrators, system owners and individuals who play a critical role in the administration of information security at NCUA. Individuals who receive adequate and current security training and who are aware of their security responsibilities will be better prepared to perform their assigned duties in the most secure manner. Ultimately, this helps NCUA protect the confidentiality, availability, and integrity of its systems and data.

Recommendations: We recommend that NCUA management:

25.
Designate dedicated information security resources to:

   •   Update the general security awareness training program and role-based training program to meet NIST guidance and requirements.

   •   Monitor and track the timely completion of new hire security awareness training and establish and enforce sanctions for non-compliance.

   •   Periodically review and update the list of individuals who need role-based training; specify the frequency of role-based training; and enforce timely completion of role-based training.

Agency Response:

OCIO will continue to improve security awareness policies and procedures to be consistent with NIST guidelines. OCIO will assign a backup to ensure that the daily report for new hire security awareness training is run and enforced. OCIO will complete this year’s role-based security training.

Due Date: 7/29/2013

OIG Response: The OIG concurs.


11. NCUA needs to improve Oversight of its Contractor Systems

While NCUA has a current inventory of contractor systems operating in or connected to the NCUA environment, NCUA has not fully implemented a formal contractor oversight management process in alignment with the applicable federal guidelines. Specifically:

   •   Current NCUA policies and procedures do not provide sufficient guidance regarding how NCUA should monitor and assess information security requirements for its contractor systems.
For example:

          o NCUA does not have a formal process in place for maintaining sufficient assurance that the security controls of contractor-provided or contractor-hosted systems and services, such as the GSA-PIV (Personal Identity Verification) and the Angel Parature systems, are effectively implemented and comply with federal and NCUA guidelines.

          o NCUA does not have a process in place to ensure it obtains the System Security Plans (SSPs) of contractor systems. Specifically, NCUA does not have the SSPs for two of its three contractor systems, the Angel Parature and the GSA-PIV systems.

          o NCUA does not have a formal process for capturing and maintaining an inventory of contractor systems under FISMA inventory requirements.

   •   NCUA does not have a Memorandum of Understanding or Interconnection Security Agreement (MOU/ISA) for the Angel Parature system.

NIST SP 800-53 guides that organizations develop and maintain an inventory of their information systems.
In addition, NIST SP 800-53 guides that organizations: authorize connections from their information systems to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements, and document, for each connection, the interface characteristics, security requirements and the nature of the information communicated; and monitor the interconnections on an ongoing basis to verify enforcement of security requirements.

While OCIO is centrally responsible for the security of all systems operating in the NCUA environment, functional system owners are responsible for obtaining and maintaining system security documentation for their contractor systems without oversight from or the involvement of OCIO.

By improving its contractor oversight process, NCUA can have better assurance that contractor systems operating in or connected to the NCUA systems environment have the same information security measures implemented as NCUA’s own systems. As a result, NCUA could better ensure that its network is protected against compromise and better ensure the confidentiality and integrity of NCUA data.

Recommendations: We recommend that NCUA management:

26. Develop and implement a formal process to centrally monitor and maintain an inventory of contractor systems and obtain from system owners the associated approved security documentation (e.g., System Security Plans, Interconnection Security Agreements, etc.) in accordance with NIST guidance.

Agency Response:

OCIO will improve policies and procedures to monitor the security of contractor systems. OCIO will work with system owners to maintain appropriate security documents in accordance with NIST guidance.

OCIO would like to make one observation. It is not always possible to obtain security plans for contractor systems.
In lieu of a security plan we gather SSAE 16 documents and Accreditation letters.

Due Date: 7/29/2013

OIG Response: The OIG concurs.


12. NCUA needs to improve its Privacy Program

NCUA has not completed an initial review of its holdings of Personally Identifiable Information (PII) and, if necessary, reduced its use of PII and Social Security Numbers (SSNs). This is a repeat finding from the FY 2011 FISMA evaluation. In addition, NCUA has not done an assessment to determine whether it needs to conduct a Privacy Impact Assessment (PIA) for its systems and has not developed a privacy program to monitor its use and handling of PII on a continuing basis.

NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (April 2010), indicates that organizations: are required to identify all PII residing within their organization or under the control of their organization through a third party; and should minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission.
It also reiterates that OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007), required that agencies:

    •    Review current holdings of PII and ensure they are accurate, relevant, timely, and complete;

    •    Reduce PII holdings to the minimum necessary for proper performance of agency functions;

    •    Develop a schedule for periodic review of PII holdings; and

    •    Establish a plan to eliminate the unnecessary collection and use of SSNs.

OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003), indicates that in addition to the requirements identified in the E-Government Act, agencies must in general perform and update a PIA as necessary where a system change creates new privacy risks.

NIST SP 800-122 guides that organizations often use a Privacy Threshold Analysis (PTA) to determine if a system contains PII, whether a PIA is required, whether a System of Records Notice (SORN) is required, and if any other privacy requirements apply to the information system.[5] It adds that PTAs are useful in initiating the communication and collaboration for each system between the privacy officer, the information security officer, and the information officer.

Organizational and staff changes surrounding oversight of the privacy program delayed NCUA in completing its initial review of PII. In addition, NCUA was not aware that it needed to conduct a PIA on its existing systems.

By performing a review to determine the amount of PII the agency holds and conducting a PTA (or PIA) for its systems, NCUA will mitigate the risk of exposing its sensitive data to a breach of confidentiality by an authorized or unauthorized entity.
Ultimately, this could prevent public embarrassment for the agency and a loss of trust by the public.

[5] Other examples of methods to identify PII include reviewing system documentation, conducting interviews, conducting data calls, using data loss prevention technologies (e.g., automated PII network monitoring tools), or checking with system and data owners.

Recommendations: We recommend that NCUA management:

27. Complete an initial review of NCUA’s current holdings of Personally Identifiable Information (PII) and, if necessary, develop a plan to reduce any unnecessary use of PII.

28. Assess whether NCUA’s system(s) require a PIA in the near term.

29. Develop a privacy program that includes policies and procedures for monitoring the usage and handling of PII on a continuous basis, determining when to perform a PIA, and the process for completing a PIA.

Agency Response:

The Office of General Counsel agrees with the recommendations and the Senior Agency Official for Privacy (SAOP) has initiated responsive actions. For example, in conjunction with NCUA’s IT Systems Inventory Initiative, we are collecting information identifying systems containing PII and whether a PIA is required. We also are coordinating with the Office of the Chief Information Officer to identify planned system changes or procurements that will require a PIA.
Additionally, as part of a comprehensive review of NCUA’s privacy program, NCUA will review and revise as necessary its general privacy instruction and individual offices’ policies and procedures to address the usage and handling of PII. We will also continue ongoing privacy awareness training efforts, including an expansion of targeted training for individual offices.

OIG Response: The OIG concurs.
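Worked example, added by the editor and not part of the OIG report or of any NCUA tool: footnote 5 to Finding 12 lists automated PII discovery tooling as one way to carry out the initial review of PII holdings called for in Recommendation 27. The script below shows the core of such a scan. It walks a set of constructed sample records, flags fields that contain a structurally valid Social Security Number (a bare 3-2-4 digit pattern over-matches, so the SSA's never-issued area, group and serial values are screened out), and reports only the last four digits so that the inventory of findings does not itself become a new PII holding. The record layout, field names and sample values are assumptions made for the example.

```python
"""
Added example (not the OIG's or NCUA's code): a minimal automated scan for
Social Security Numbers of the kind footnote 5 refers to, run over
constructed sample records. Findings are reported masked (***-**-1234).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Loose 3-2-4 digit pattern with optional dash/space separators. The digit
# lookarounds stop it matching inside longer numbers such as account IDs.
# It is deliberately permissive; is_valid_ssn() applies the structural rules.
SSN_PATTERN = re.compile(r"(?<!\d)(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued;
    group 00 and serial 0000 are never issued. Anything else is treated as
    a possible SSN (this is a structure check, not a lookup)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> List[str]:
    """Return masked forms of every structurally valid SSN found in text."""
    hits = []
    for match in SSN_PATTERN.finditer(text):
        area, group, serial = match.groups()
        if is_valid_ssn(area, group, serial):
            hits.append(f"***-**-{serial}")  # never keep the full value
    return hits


@dataclass
class Finding:
    record_id: str
    field: str
    masked_values: List[str]


def scan_records(records: List[Dict[str, str]], id_field: str = "id") -> List[Finding]:
    """Scan every field of every record except the record identifier."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field == id_field:
                continue
            masked = find_ssns(str(value))
            if masked:
                findings.append(Finding(rec.get(id_field, "?"), field, masked))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """The figures an initial PII holdings review needs: how many records
    hold an SSN and which fields carry them."""
    return {
        "records_with_ssn": len({f.record_id for f in findings}),
        "fields_with_ssn": sorted({f.field for f in findings}),
    }


# Constructed sample data for the example; none of these are real records.
SAMPLE_RECORDS = [
    {"id": "r1", "name": "Pat Example", "notes": "Member SSN 123-45-6789 on file"},
    {"id": "r2", "name": "Lee Example", "notes": "Case 487-65-4321 reviewed",
     "tax_id": "219-09-9999"},
    {"id": "r3", "name": "Sam Example", "notes": "Ticket 000-12-3456; phone 555-0100"},
    {"id": "r4", "name": "Kim Example", "notes": "Ref 666-11-2222 and 912-34-5678"},
    {"id": "r5", "name": "Ari Example", "notes": "Balance 1234567890"},
]

if __name__ == "__main__":
    results = scan_records(SAMPLE_RECORDS)
    for f in results:
        print(f"{f.record_id}/{f.field}: {', '.join(f.masked_values)}")
    print(summarize(results))
```

Records r3, r4 and r5 produce no findings: r3 and r4 carry never-issued area numbers and r5 carries a ten-digit balance, which the lookarounds exclude. Pattern matching of this kind covers only formatted identifiers; the footnote's other methods (system documentation, data calls, checking with data owners) are still needed for PII such as names, addresses and free-text case notes.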